A data access request made by a complainant to an optometry centre
The Complaint
The complainant submitted a data access request (“the Request”) to an optometry centre (“the Centre”) pursuant to the PDPO, requesting copies of reports and fundus photos in relation to the ophthalmic examinations conducted on him since more than ten years ago. The Centre informed the complainant that they would only provide him with the reports within five years from the date of his last visit. The complainant found this unreasonable and filed a complaint with the PCPD.
Outcome
The Centre stated that they had never intended to refuse the Request. Nonetheless, in view of the requirement set out in the Code of Practice issued by regulatory body of the industry that an optometrist must keep records of patients for a minimum period of five years from the date of last consultation, their optometrist evaluated the clinical relevance of the information by exercising professional judgment, and advised that it would be adequate for the complainant to obtain medical records in the past five years. Their intention was to lower the fee to be borne by the complainant in respect of the Request.
After PCPD’s intervention, the Centre contacted the complainant to provide him with a list of the dates of his ophthalmic examinations and the relevant examination items, and they agreed to provide the requested data to the complainant once he confirmed the requested items and paid the relevant fees. The PCPD also issued an advisory letter to the Company in response to the incident.
Lesson learnt
According to section 19 of the PDPO, if the data user holds the personal data requested by the data requestor, they must inform the requestor that they hold the requested data and provide a copy of that data to him, except where the data user intends to refuse to comply with the data access request under section 20 of the PDPO.
When handling data access requests, data users should note the aforesaid requirements and should not impose restrictions on the period within which data can be requested. Besides, data users’ evaluation on the reference value of the requested data is not a factor for determining whether to provide the data. If the data user holds the relevant data, it is required to provide a copy of that data to the requestor in accordance with section 19 of the PDPO.
(Uploaded in March 2026)